The company previously disclosed that outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password.

“Based on the ongoing investigation, we believe an unauthorised third party accessed our proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used,” Lord said.

Yahoo says it was notifying the account holders affected. They will be required to change their passwords.

“We have also invalidated unencrypted security questions and answers so that they cannot be used to access an account,” added Lord.

Yahoo said it had connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft disclosed on September 22.